Security experts at Cisco uncovered a targeted hacking campaign that leveraged AutoIt to spread RATs and other malware via Word documents. The RATs were used to compromise computers at a small number of organizations.
“AutoIt is a freeware BASIC-like scripting language designed for automating the Windows GUI and general scripting. It uses a combination of simulated keystrokes, mouse movement and window/control manipulation in order to automate tasks in a way not possible or reliable with other languages (e.g. VBScript and SendKeys).”
The attackers behind the targeted attacks used macros as the attack vector, a trend that security experts had already observed in recent months.
Although macros have been disabled by default since Office 2007, the experts at Cisco explained that attackers are still able to convince victims to enable them by using social engineering techniques.
“In this case, they’re impersonating a legitimate business. If the message is convincing enough, they could lower their guard and enable macros if they believe doing so will fully render a document or allow them to see the encoding of images a document may contain,” explained the Cisco Talos researcher Alex Chiu. “We’ve seen these techniques used with several targeted Dridex campaigns. They’re taking techniques that are old, and in this case, making them useful again.”
The use of AutoIt is not new among malware authors. In September 2014, a Greek security researcher discovered a new strain of malware that spread via spam email and rapidly infected a huge number of machines. The malware combined AutoIT (software for automating day-to-day tasks on computers) with a commercial keylogger named “Limitless Keylogger.” The researchers highlighted that Limitless Keylogger was used to intercept every keystroke users pressed and send it back to the attackers via email, while AutoIT was adopted to evade detection by antivirus programs.
In the most recent targeted campaign, the experts at Cisco revealed that the victim is urged to enable macros in a Word document that pretends to be from a legitimate business. Once the victim enables macros, the macro downloads a binary from hxxp://frontlinegulf[.]com/tmp/adobefile.exe.
The experts observed that the attackers regularly change the malicious payloads, and AutoIt was one of them.
“Utilizing AutoIT within a payload is unique because it is a legitimate management tool. In this attack, AutoIT was utilized to install a Remote Access Trojan (RAT) and maintain persistence on the host in a manner that’s similar to normal administration activity,” states the blog post from Cisco. “Adversaries are using legitimate freeware to fly under the radar,” Chiu said. “It can hide as white noise because it appears as a management task.” Chiu said it’s unknown whether the targeted organizations already were using AutoIt in their environments.
The researchers also discovered that the attackers download to the infected machine a 600MB AutoIt script that includes payload decryption routines, anti-analysis modules, and code for installing malware. According to Cisco, the AutoIt script also installs either the Cybergate RAT, NanoCore RAT, or the Parite worm.
The researchers explained that the script checks whether a particular antivirus product is installed and, if it is detected, sleeps for a defined period of time before executing. Once it is running, it tries to disable Windows User Account Control (UAC) in order to establish persistence on the target and decrypt its payload.
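The behaviours described above (Word launching a downloaded binary, AutoIt running where it is not normally used, UAC being switched off) can be correlated per host in endpoint telemetry. The following is an added example, not code from Cisco's report: the event fields, host names, AutoIt baseline list and time window are assumptions, and the `EnableLUA` registry value is one common way UAC is turned off, since the article does not say which method the script uses.

```python
from collections import defaultdict

# Constructed sample events (not from the Cisco report); field names are assumed.
EVENTS = [
    {"ts": 100, "host": "ws-01", "type": "proc", "parent": "WINWORD.EXE",
     "image": r"C:\Users\a\AppData\Local\Temp\adobefile.exe"},
    {"ts": 130, "host": "ws-01", "type": "proc", "parent": "adobefile.exe",
     "image": r"C:\Users\a\AppData\Local\Temp\AutoIt3.exe"},
    {"ts": 400, "host": "ws-01", "type": "reg", "value": 0, "key":
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"ts": 90, "host": "it-07", "type": "proc", "parent": "explorer.exe",
     "image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe"},
    {"ts": 50, "host": "ws-02", "type": "proc", "parent": "WINWORD.EXE",
     "image": r"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE"},
]
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
AUTOIT_BASELINE = {"it-07"}  # hosts where admins are known to run AutoIt (assumed)
WINDOW = 600                 # seconds after a host's first hit (assumed)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def stage(ev):
    """Map one event to a stage of the chain in the article, or None."""
    if ev["type"] == "proc":
        child = basename(ev["image"])
        if basename(ev["parent"]) == "winword.exe" and child not in OFFICE:
            return "word_spawned_binary"
        if child.startswith("autoit3") and ev["host"] not in AUTOIT_BASELINE:
            return "autoit_off_baseline"
    elif ev["type"] == "reg":
        key = ev["key"].lower()
        if key.endswith(r"\policies\system\enablelua") and ev["value"] == 0:
            return "uac_disabled"
    return None

def correlate(events, min_stages=2):
    """Alert on hosts showing several distinct stages within WINDOW."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        s = stage(ev)
        if s:
            hits[ev["host"]].append((ev["ts"], s))
    alerts = {}
    for host, seen in hits.items():
        first = seen[0][0]
        stages = sorted({s for ts, s in seen if ts - first <= WINDOW})
        if len(stages) >= min_stages:
            alerts[host] = stages
    return alerts
```

Matching on the interpreter name only catches scripts run through `AutoIt3.exe`; scripts compiled into standalone executables need a different signal, so the baseline of hosts that legitimately use AutoIt matters as much as the name match.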
(Security Affairs – RAT, AutoIt)